Knowledgebase: Technical Help
Configuring SSO (Single Sign-on)
Posted by Ondrej Vanek, Last modified by Ondrej Vanek on 11 December 2015 08:34 AM

The following must be done on the domain controller and on IceWarp Server: 

  • create a type A record (not a CNAME) in your DNS for the host name of the webmail URL; the browser builds the service principal HTTP/<host name> from the name in the URL, so it must resolve directly and must match the principal used below (i.e.

  • create a “link” user in Active Directory (AD); it must be located in the Users container, its password must not expire (re-keying the account invalidates the keytab) and “User must change password at next logon” must not be set. For instance, we create the user: (userPrincipalName value before mapping)
  • on the domain controller (AD), open a command line interface (CLI) and execute the following command:
    ktpass -out c:\ -princ HTTP/ -mapUser -mapOp set -pass * -ptype KRB5_NT_PRINCIPAL
    pay attention to the syntax, as it is case sensitive: keeping the correct upper / lower case is essential, and the AD domain (the Kerberos realm after the @) must be written in capitals. ktpass also accepts -crypto to choose which key types are written to the keytab; prefer AES256-SHA1 over the legacy RC4 and DES types where your domain and clients support it. The keytab holds the link user's long-term key, so protect the file like a password (restrictive permissions, no mail or ticket attachments)
  • move the file c:\ to IceWarp Server (the most suitable location is install_path/config/_keytabs, but it is not so important at this point); for the purpose of generating the keytab file any file name can be used, however the name that IceWarp Server expects (explained later) is used in this example

  • on IceWarp Server go to domain properties (domain in our example case), tab Directory Service, and enable SSO
  • the Kerberos service name must be filled in according to the following pattern: <principal>/<icewarp_domain>@<AD_DOMAIN> (for our example it would be: HTTP/ ). Notice how the service name and the keytab file name match; a slash is not allowed in a file name, so it is replaced with a hash sign (#). The comparison is case sensitive, so the realm must be in capitals here too, exactly as it was passed to ktpass
  • Remote account matching should be left at the default value, “Match with username”, as that usually works; the right method depends on your directory service configuration
  • the Manage keytabs.. button opens the content of the keytab folder, install_path/config/_keytabs; the keytab file generated on the domain controller earlier should be copied here. The file must also have its name set accordingly at this point; for our example it is
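Before copying the file into _keytabs it is worth verifying that it really carries a key for the service name you typed in, in the right realm and case, and which encryption types it contains. The script below is an added example (not IceWarp's or Microsoft's code): it parses the keytab format ktpass writes, derives the IceWarp file name from the service name, and reports mismatches. The host name webmail.example.com and realm EXAMPLE.COM are assumptions, and the two keytabs are constructed in-process with dummy keys rather than by ktpass; pass the bytes of a real file to parse_keytab or check_keytab to check your own.

```python
"""Check a keytab against an IceWarp-style Kerberos service name.

Added example, not IceWarp or Microsoft code. The host name
webmail.example.com and realm EXAMPLE.COM are assumptions, and the
keytabs below are constructed in-process instead of by ktpass.
"""
import struct

# IANA Kerberos encryption type numbers ktpass can write with -crypto.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
LEGACY_ENCTYPES = {1, 3, 23}   # DES and RC4: avoid for new deployments
KEYTAB_V2 = b"\x05\x02"        # header written by ktpass, MIT and Heimdal


def _counted(buf, off):
    """Read a 16-bit-length-prefixed string at buf[off:]; return (str, next off)."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data):
    """Parse a v2 keytab into [{principal, kvno, enctype, timestamp}].
    The key bytes are skipped on purpose: a keytab is a credential."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        e, off = data[pos:pos + size], 0
        pos += size
        (ncomp,) = struct.unpack(">H", e[off:off + 2])
        realm, off = _counted(e, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(e, off)
            comps.append(c)
        _ntype, ts, vno8 = struct.unpack(">IIB", e[off:off + 9])
        enctype, klen = struct.unpack(">HH", e[off + 9:off + 13])
        off += 13 + klen                   # step over the key material
        kvno = vno8
        if off + 4 <= len(e):              # optional 32-bit kvno trailer
            (vno32,) = struct.unpack(">I", e[off:off + 4])
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "timestamp": ts})
    return entries


def keytab_file_name(service_name):
    """File name IceWarp expects under install_path/config/_keytabs: '/' -> '#'."""
    return service_name.replace("/", "#")


def check_keytab(data, service_name):
    """Return the list of problems found; [] means the keytab carries a key
    for exactly this service name (Kerberos compares principals case-sensitively)."""
    name, _, realm = service_name.rpartition("@")
    if "/" not in name or not realm:
        return ["service name must look like HTTP/<host>@<REALM>"]
    problems = []
    if realm != realm.upper():
        problems.append("realm %r must be written in capitals" % realm)
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == service_name]
    if not matching:
        have = sorted({e["principal"] for e in entries})
        problems.append("no key for %s; keytab holds %s" % (service_name, have))
    for e in matching:
        if e["enctype"] in LEGACY_ENCTYPES:
            problems.append("key kvno %d uses legacy enctype %s"
                            % (e["kvno"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    return problems


def build_keytab(keys, kvno=3, timestamp=1449820800):
    """Constructed test data: write a v2 keytab from (principal, enctype, key)
    tuples in the same layout ktpass -out produces."""
    def counted(s):
        b = s.encode()
        return struct.pack(">H", len(b)) + b
    out = KEYTAB_V2
    for principal, enctype, key in keys:
        name, _, realm = principal.rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + counted(realm)
        body += b"".join(counted(c) for c in comps)
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


SERVICE_NAME = "HTTP/webmail.example.com@EXAMPLE.COM"          # assumed names
GOOD_KEYTAB = build_keytab([(SERVICE_NAME, 18, b"\x11" * 32)])  # dummy AES256 key
RC4_KEYTAB = build_keytab([(SERVICE_NAME, 23, b"\x22" * 16)])   # dummy RC4 key

if __name__ == "__main__":
    print("expected file name:", keytab_file_name(SERVICE_NAME))
    print("good keytab:", check_keytab(GOOD_KEYTAB, SERVICE_NAME) or "no problems")
    print("rc4 keytab, lower-case realm:",
          check_keytab(RC4_KEYTAB, "HTTP/webmail.example.com@example.com"))
```

On a host with MIT Kerberos tools, klist -kte <file> prints the same principal / kvno / enctype listing; the point of doing it in code is that the case and realm checks are explicit, which is exactly where a hand-typed service name goes wrong.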



The following must be done on the client side: 

  • add the webmail URL to trusted sites, for instance in our case
    • in Firefox, visit about:config, search for network.negotiate-auth.trusted-uris and add the site there (the value is a comma-separated list of host names or URL prefixes)
    • in MSIE open the Internet Options dialog / Security tab / Trusted sites (do not require https:// if not necessary, but keep in mind that without HTTPS the webmail session itself travels in clear text even though Kerberos never sends the password). Additionally, the Integrated Windows Authentication feature must be enabled (the default; it allows Kerberos) and the zone's User Authentication / Logon setting must permit automatic logon with the current user name and password


Now you can try to browse the SSO dedicated URL of webmail (i.e. - if all went well, the webmail of the same user as the one logged on to Windows will open. If not, the Kerberos logs become very useful; turn them on in the server Administration console: System / Logging / Debug tab / Kerberos. On the client, klist lists the cached tickets: if no ticket for HTTP/<host> appears after the attempt, the problem is on the DNS / SPN side rather than in IceWarp, whereas a ticket that is issued but rejected points at the keytab or the service name.

Known issues:

If the source LDIF attribute value used as the local username source contains a dash, you have to enable the checkbox “add AD login to alias” and set “remote account matching” to “match with alias”.


© a.rusek, o.vanek

